Layer7 API Management

Retrieve OAuth 2.0 Token Assertion sample policy 

03-03-2017 09:21 AM

A sample policy using the 'Retrieve OAuth 2.0 Token' Assertion with the Authorization Code grant type.

This policy makes use of the OAuth 2.0 test clients (id/secret). 


1. Create a new endpoint on your gateway (i.e: /redirect)

2. Import the sample policy

3. Edit the OAuth2Client test client and change the callback URL to the endpoint created in step 1

4. Access the endpoint via browser (i.e:


An HTML response will be received with your token.


This policy is provided as-is, without warranty or support of any kind, and is intended only for guidance in using the assertion. It must not be used on production systems.
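The four steps above, driven end to end as an added example (my code, not the sample policy attached to this post and not OTK's or MAG's implementation): an in-memory stub of the gateway's authorize and token endpoints, and the `/redirect` handler that turns the browser callback into the HTML token page the post describes. The client id and secret, the gateway URLs and the PKCE check are assumptions and not values from the post; the example goes slightly beyond the post in that it also shows the checks a redirect policy should make (state bound to the session, single-use codes, redirect_uri match, client authentication) and what the page returns when they fail.

```python
import base64
import hashlib
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values standing in for the OTK test client and gateway URLs;
# none of these are real OTK defaults.
CLIENT_ID = "OAuth2Client"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://gateway.example/redirect"                   # the endpoint from step 1
AUTHZ_ENDPOINT = "https://gateway.example/auth/oauth/v2/authorize"  # assumed path
TOKEN_ENDPOINT = "https://gateway.example/auth/oauth/v2/token"      # assumed path


def s256(verifier: str) -> str:
    """PKCE S256 challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class StubAuthorizationServer:
    """In-memory stand-in for the gateway's authorize and token endpoints."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, authz_url: str) -> str:
        """Resource owner has logged in and consented: return the redirect carrying a one-time code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(authz_url).query).items()}
        _secret, registered_redirect = self.clients[q["client_id"]]
        if q.get("response_type") != "code" or q["redirect_uri"] != registered_redirect:
            raise ValueError("authorization request rejected")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        # state is echoed back untouched so the client can bind the callback to its own session
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form: dict) -> dict:
        """Exchange a code for an access token; these checks are what stop code replay and injection."""
        entry = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
        if entry is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge = entry
        secret, _ = self.clients.get(form.get("client_id"), (None, None))
        if secret is None or not secrets.compare_digest(secret, form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("redirect_uri") != redirect_uri or s256(form.get("code_verifier", "")) != challenge:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


class RedirectEndpoint:
    """Client side: issues the authorization request and handles the callback at /redirect."""

    def __init__(self, server: StubAuthorizationServer):
        self.server = server
        self.pending = {}  # state -> code_verifier; per browser session in a real deployment

    def begin(self) -> str:
        """Build the authorization URL the browser is sent to."""
        state = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(32)
        self.pending[state] = verifier
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "state": state, "code_challenge": s256(verifier), "code_challenge_method": "S256",
        })

    def callback(self, redirect_url: str) -> str:
        """Handle GET /redirect?code=...&state=... and return the HTML page the post describes."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        verifier = self.pending.pop(q.get("state"), None)  # unknown or reused state: reject
        if verifier is None:
            return "<h1>Error: unknown or reused state</h1>"
        tok = self.server.token({
            "grant_type": "authorization_code", "code": q.get("code", ""),
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code_verifier": verifier,
        })
        if "error" in tok:
            return f"<h1>Error: {html.escape(tok['error'])}</h1>"
        return f"<h1>Token</h1><pre>{html.escape(tok['access_token'])}</pre>"


def run_flow():
    """Drive one complete exchange; returns (token page, replayed callback, forged callback)."""
    server = StubAuthorizationServer()
    client = RedirectEndpoint(server)
    redirect_url = server.authorize(client.begin())  # browser follows the 302 back to /redirect
    page = client.callback(redirect_url)
    replay = client.callback(redirect_url)           # same callback again: state already consumed
    forged = client.callback(REDIRECT_URI + "?code=guessed&state=" + secrets.token_urlsafe(16))
    return page, replay, forged


if __name__ == "__main__":
    for p in run_flow():
        print(p)
```

Running it prints the token page once, followed by the two error pages; in the gateway the same three outcomes correspond to the branches a `/redirect` policy needs before it hands the code to the Retrieve OAuth 2.0 Token assertion.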

Attachment: zip file, 1 KB, 1 version. Uploaded 05-29-2019.



07-25-2018 12:08 AM



The assertion I am talking about is "RetrieveOAuth2Token", which comes with the MAG installation. I can see all the other Grant_Types in the drop-down of this assertion except "SAML Grant_Type".

I was trying to use this custom assertion to enable the SAML OAuth2 handshake and generate a token based on the SAML bearer token in the input request.


Meanwhile, I have found another way by modifying the OTK policies to make it work.

07-10-2018 12:25 PM


I am not sure if I understand your desired flow. Requiring an oauth token is usually used at an oauth protected API, independent of a grant_type. Have you got more details about your case?

07-09-2018 11:21 PM



Is there any way to use the "retrieveOauth2 Token" assertion for Grant_Type: SAML? I don't see any option to select this grant type.

I have made the required changes to the OTK policies to enable the SAML grant type and now need to use this assertion to generate an OAuth token.

11-28-2017 12:40 PM

I have recently added a blog post about available variables when using "OTK Require OAuth 2.0 Token". Please check it out, it may also help:

Tip of the week: protecting APIs using OAuth / OTK 

11-16-2017 09:45 AM

MAG (Mobile API Gateway) is a separate component that must be purchased.

You can read more about MAG here to see if it fits your needs: Mobile API Gateway Home - CA Mobile API Gateway - 4.0 - CA Technologies Documentation 

11-14-2017 06:51 AM

What is MAG and where can I download it?

I have SSG 9.2 with OAuth2 4v installed.

05-04-2017 09:18 AM

Hi karpa08,


I just tested the 3 sample policies on OTK 4.0 (GW 9.2, MAG 4.0) without issue. If you are running into problems please post a new question on communities with the error and I will be happy to look into further.




05-04-2017 04:25 AM

Hello Joe,


Thanks for the contribution here. Does the sample policy that you provided work with OTK 4.0? I tried it alongside Gateway 9.2 and MAG 4.0 but without success.





04-05-2017 09:04 AM

Samples of Client Credentials and Resource Owner Password Credentials grants can be found here:


Client Creds 




04-05-2017 08:53 AM

Hi Rudra,


Depending on your needs (and level of trust with the client app) you can use the Client Credentials or Resource Owner Password Credentials grant types.

I will upload some samples for you.




04-04-2017 09:46 PM

Hi All,


Thanks for your response. I got MAG installed and it is working now.

This is good for testing OAuth2 using a web form/login page, but is there any way to make it work for mobile apps?

Mobile apps don't need to have a login page presented on first-time login to get a token.

03-14-2017 10:50 AM

You also need a valid MAG license installed to be able to use this assertion. Because it comes with MAG it needs a MAG license :-)




03-14-2017 08:23 AM

Hi Rudra,


Is it showing disabled or 'Unknown assertion' as seen below? The assertion is actually installed as part of MAG (Mobile API Gateway), I suspect you may not have that installed.





03-13-2017 10:37 PM



I imported the policy into CA API Gateway Policy Manager 9.2.0 with OTK 3.6 installed.

But after importing the policy, it shows the assertion "RetrieveOAUTH2Token" as disabled.

How do I get this enabled? Do I have to request this assertion from CA?



Rudra Singh

03-03-2017 02:25 PM

Thanks @dasjo02, seeing numerous requests for this type of example. 
